5c3312c Unload automatic empty zones which are super/sub/equal domain as forward zone.

Authored and Committed by pspacek 8 years ago
    Unload automatic empty zones which are super/sub/equal domain as forward zone.
    
    It allows queries to leak to the public Internet if:
    a) The query name does not belong to the forwarded domain:
       - empty zone = 10.in-addr.arpa
       - forward zone = 1.10.in-addr.arpa
       - qname = 2.10.in-addr.arpa
    
    b) The forward zone is a superdomain, but it failed and the
       user-configured policy != only.
    
    Limitation:
    Unloading logic is triggered only by zones in LDAP + the global forwarder in
    named.conf. BIND does not have an API to iterate over the complete list
    of forwarders configured from other sources (namely named.conf).
    
    This patch unloads empty zones without regard to forwarding policy.
    Removed empty zones are not loaded back when the conflicting empty zone
    is removed from LDAP. This was done to simplify implementation.
    
    https://fedorahosted.org/bind-dyndb-ldap/ticket/160
    
file modified: +2 -0
file added: +320
file added: +32
file modified: +21 -17
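The two leak cases in the commit message are easiest to reason about with a small model of zone selection. The following is an added example, not code from bind-dyndb-ldap or BIND: it implements the commit's unload rule (an automatic empty zone is unloaded when it is equal to, above or below a forward zone) and then routes sample queries with a plain longest-match zone lookup, which is an assumed simplification of BIND's behaviour. The empty-zone list and the forward zone are constructed sample data; the forward zone and query name are the ones from the commit message.

```python
# Added example; not part of bind-dyndb-ldap or BIND. Models the commit's
# unload rule and the resulting query routing with a longest-match zone
# lookup (an assumption that simplifies BIND's real zone selection).

def labels(name):
    """Labels of a DNS name, lowercased, root-most first; trailing dot ignored."""
    name = name.rstrip(".").lower()
    return [] if not name else name.split(".")[::-1]

def relation(a, b):
    """'equal', 'sub' (a is below b), 'super' (a is above b) or 'unrelated'."""
    la, lb = labels(a), labels(b)
    n = min(len(la), len(lb))
    if la[:n] != lb[:n]:
        return "unrelated"
    if len(la) == len(lb):
        return "equal"
    return "sub" if len(la) > len(lb) else "super"

def empty_zones_to_unload(empty_zones, forward_zones):
    """Automatic empty zones that are equal to, above or below any forward zone
    (the commit's rule, applied regardless of forwarding policy)."""
    return sorted(ez for ez in empty_zones
                  if any(relation(ez, fz) != "unrelated" for fz in forward_zones))

def closest_enclosing(qname, zones):
    """Longest-match lookup: the zone with the most labels that contains qname."""
    containing = [z for z in zones if relation(qname, z) in ("equal", "sub")]
    return max(containing, key=lambda z: len(labels(z)), default=None)

def route_query(qname, empty_zones, forward_zones, policy="first", forwarder_alive=True):
    """Where the query ends up: 'empty' (local NXDOMAIN from an empty zone),
    'forward' (sent to the configured forwarder; with policy 'only' a dead
    forwarder yields SERVFAIL rather than a leak) or 'recursion' (resolved
    on the public Internet)."""
    fwd = closest_enclosing(qname, forward_zones)
    ez = closest_enclosing(qname, empty_zones)
    if fwd is not None and (ez is None or len(labels(fwd)) >= len(labels(ez))):
        if forwarder_alive or policy == "only":
            return "forward"
        return "recursion"   # case b) of the commit: forwarder failed, policy != only
    return "empty" if ez is not None else "recursion"

def leak_report(qnames, empty_zones, forward_zones, **kw):
    """Per qname: routing with all empty zones loaded vs. after the unload rule."""
    gone = set(empty_zones_to_unload(empty_zones, forward_zones))
    kept = [z for z in empty_zones if z not in gone]
    return {q: (route_query(q, empty_zones, forward_zones, **kw),
                route_query(q, kept, forward_zones, **kw)) for q in qnames}

# Constructed sample: four of BIND's built-in empty zones and the forward
# zone from the commit message.
EMPTY = ["10.in-addr.arpa", "16.172.in-addr.arpa", "168.192.in-addr.arpa", "127.in-addr.arpa"]
FORWARD = ["1.10.in-addr.arpa"]

if __name__ == "__main__":
    print("unloaded:", empty_zones_to_unload(EMPTY, FORWARD))
    report = leak_report(["2.10.in-addr.arpa", "5.1.10.in-addr.arpa"], EMPTY, FORWARD)
    for q, (before, after) in report.items():
        print(f"{q}: empty zones loaded -> {before}, after unload -> {after}")
```

Running it shows case a): `2.10.in-addr.arpa` is answered locally while `10.in-addr.arpa` is loaded, but goes to recursion once that empty zone is unloaded, whereas names under `1.10.in-addr.arpa` are forwarded either way. The mitigation check a practitioner would want is also visible in the model: configuring the forward zone for the whole `10.in-addr.arpa` (or re-adding an explicit empty zone for it) keeps the sibling names from reaching the public Internet.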